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Trung Nguyen Hoang - @ntrung03

* Undergraduate CS student at Purdue University
* Focus on macOS/iOS research
* Used to blog about CTF challenges


Department of Computer Science 
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Agenda

* Current state of iOS research
* TruEmu's design goal
* Implementing TruEmu
* Using TruEmu for research
* TruEmu's future and roadmap
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Using real devices

* Security Research Device Program by Apple

[Image: Apple Security Research Device, labelled "Security Research Device - Property of Apple Inc"]
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Using real devices

* Security Research Device Program by Apple
* Apple internal devices (dev-fused devices)
* Off-the-shelf jailbroken devices
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Using real devices

[Screenshot: pinned tweet]
axi0mX @axi0mX · 9/27/19

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent
unpatchable bootrom exploit for hundreds of millions of iOS devices.

Most generations of iPhones and iPads are vulnerable: from iPhone 4S
(A5 chip) to iPhone 8 and iPhone X (A11 chip).

[Link card: GitHub - axi0mX/ipwndfu: open-source jailbreaking tool for many iOS devices (github.com)]
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Using real devices

* Security Research Device Program by Apple
* Apple internal devices (dev-fused devices)
* Off-the-shelf jailbroken devices
* Off-the-shelf non-jailbroken devices
* ARM Macs
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* Third party commercial iOS emulator

[Screenshot: Corellium web UI running a jailbroken iPhone XS on iOS 14.4.1 (18D61), showing the kernel console log and the iOS home screen]
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Emulation comes to the rescue

* Third party commercial iOS emulator
* VMApple
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* Third party commercial iOS emulator
* VMApple

[Screenshot: booting AVPBooter.vmapple2.bin with a Virtualization.framework test program, then attaching lldb over gdb-remote]

noone@noones-Air ~ % /Users/noone/Library/Developer/Xcode/DerivedData/virtualization_test-aumsqmjpaskqdzaqveosthaqqgpd/Build/Products/Debug/virtualization_test /Users/noone/Desktop/AVPBooter.vmapple2.bin
:: Supervisor iBootStage1 for vma2, Copyright 2007-2021, Apple Inc.
Remote boot, Board 0x20 (vma2ap)/Rev 0x0
BUILD_TAG: iBoot-7429.41.5
BUILD_STYLE: RELEASE
USB_SERIAL_NUMBER: SDOM:01 CPID:FE00 CPRV:00 CPFM:03 SCEP:01 BDID:20 ECID:1122334455667788 IBFL:FD
aborting autoboot due to remote boot.
Entering iBootStage1 recovery mode, starting command prompt

Last login: Sun Dec 5 15:12:11 on ttys005
noone@noones-Air ~ % lldb
(lldb) gdb-remote localhost:8000
Process 1 stopped
* thread #1, name = 'CPU1', stop reason =
    frame #0:
    0x7007d730: ldp x29, x30, [sp, #0x10]
    0x7007d734: ldp x20, x19, [sp], #0x20
    0x7007d738: retab
    0x7007d73c: pacibsp
Target 0: (No executable module.) stopped.
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QEMU

* Third party commercial iOS emulator
* VMApple
* Aleph Security's xnu-qemu-arm64
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Shortcomings of Aleph Security's xnu-qemu-arm64

* Supports only 2 iOS versions
* Limited hardware support
* Hard to maintain, and also abandoned
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TruEmu came to the rescue

#BHUSA @BlackHatEvents


TruEmu's design goal

* Free-to-use iOS emulator for security research
* Out-of-box support for a wide range of iOS versions
* Easy to debug
* Can be used for fuzzing
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TruEmu's notable features

* Model actual hardware
* Support from iOS 14 to the latest iOS 16
* iPhone 6S SecureROM
* Out-of-box kernel debugging support
* USB support (with firmware restore)
* Apple's custom CPU features (SPRR/GXF, custom PAC)
* We are open source: http://github.com/TrungNguyen1909/qemu-t8030
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How does a new device get modeled

1. Look for information in the device tree
2. Build a stub model and log MMIO accesses
3. A mix of dynamic and static reverse engineering of the protocol
4. Write code to emulate the needed responses
5. Profit
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1. Reading the device tree

* Can be found in the iOS IPSW
* Contains a rich amount of peripheral information for iOS
* Used to match drivers
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1. Reading the device tree

* Contains a rich amount of peripheral information for iOS
* Used to match drivers

~/Projects/iOSQEMU
>> ./dt/dt Firmware/all_flash/DeviceTree.n104ap.im4p.out gpio
#interrupt-cells      0x00000002
interrupt-controller  ||
compatible            67 70 69 6f 2c 74 38 30 33 30 00 67 70 69 6f 2c  |gpio,t8030.gpio,|
                      73 35 6c 38 39 36 30 78 00                       |s5l8960x.|
interrupt-parent      0x0000001a
interrupts            83 00 00 00 84 00 00 00 85 00 00 00 86 00 00 00  |................|
                      87 00 00 00 88 00 00 00 89 00 00 00              |............|
#gpio-int-groups      0x00000007
reg                   00 00 10 3c 00 00 00 00 00 00 10 00 00 00 00 00  |...<............|
#gpio-pins            0x000000d4
AAPL,phandle          0x00000023
device_type           interrupt-controller
#address-cells        0x00000000
role                  AP
name                  gpio
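An added example, not code from the talk or from qemu-t8030: decoding one node of Apple's flattened device tree (the payload of DeviceTree.*.im4p once the IM4P wrapper is removed) to check its "compatible" list the way driver matching does, and to count its interrupt cells. The layout assumed here follows XNU's pexpert device_tree.h (u32 nProperties, u32 nChildren, then properties made of char name[32], u32 length with bit 31 used as an iBoot placeholder flag, and a value padded to 4 bytes); the gpio node is constructed inline from the values in the dump above, and the function names are mine.

```c
#include <stdint.h>
#include <string.h>

#define DT_NAME_LEN 32                      /* kPropNameLength in XNU pexpert */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Look up property `pname` in the node starting at buf: returns the value and its
 * real length, or NULL if it is absent or the node runs past `len` (truncated image). */
const uint8_t *dt_prop(const uint8_t *buf, size_t len, const char *pname, uint32_t *plen) {
    if (len < 8) return NULL;
    uint32_t nprops = rd32(buf);            /* buf+4 holds nChildren, unused here */
    size_t off = 8;
    for (uint32_t i = 0; i < nprops; i++) {
        if (off + DT_NAME_LEN + 4 > len) return NULL;
        uint32_t l = rd32(buf + off + DT_NAME_LEN) & 0x7fffffffu;   /* bit 31: placeholder */
        if (off + DT_NAME_LEN + 4 + l > len) return NULL;
        if (!strncmp((const char *)buf + off, pname, DT_NAME_LEN)) { *plen = l; return buf + off + DT_NAME_LEN + 4; }
        off += DT_NAME_LEN + 4 + ((l + 3) & ~3u);                  /* values are 4-byte padded */
    }
    return NULL;
}

/* Driver matching: is `compat` one of the NUL-separated "compatible" strings? */
int dt_node_compatible(const uint8_t *buf, size_t len, const char *compat) {
    uint32_t plen, i = 0;
    const uint8_t *v = dt_prop(buf, len, "compatible", &plen);
    if (!v) return 0;
    while (i < plen) {
        const uint8_t *end = memchr(v + i, 0, plen - i);
        size_t l = end ? (size_t)(end - (v + i)) : plen - i;
        if (l == strlen(compat) && !memcmp(v + i, compat, l)) return 1;
        i += (uint32_t)l + 1;
    }
    return 0;
}

/* Number of 32-bit cells in "interrupts" (the dump above shows 7 for gpio). */
uint32_t dt_interrupt_count(const uint8_t *buf, size_t len) { uint32_t plen; return dt_prop(buf, len, "interrupts", &plen) ? plen / 4 : 0; }

/* --- Constructed sample node (not a real DeviceTree image) --- */
static size_t put_prop(uint8_t *o, size_t off, const char *name, const void *val, uint32_t l) {
    memset(o + off, 0, DT_NAME_LEN);
    memcpy(o + off, name, strlen(name));
    off += DT_NAME_LEN;
    for (int b = 0; b < 4; b++) o[off + b] = (uint8_t)(l >> (8 * b));   /* little-endian length */
    off += 4;
    memset(o + off, 0, (l + 3) & ~3u);
    memcpy(o + off, val, l);
    return off + ((l + 3) & ~3u);
}

size_t build_gpio_node(uint8_t *o) {
    static const char compat[] = "gpio,t8030\0gpio,s5l8960x";           /* two strings */
    static const uint8_t irqs[] = {0x83,0,0,0, 0x84,0,0,0, 0x85,0,0,0, 0x86,0,0,0,
                                   0x87,0,0,0, 0x88,0,0,0, 0x89,0,0,0};
    memset(o, 0, 8);
    o[0] = 3;                                                            /* nProperties = 3, nChildren = 0 */
    size_t off = put_prop(o, 8, "name", "gpio", 5);
    off = put_prop(o, off, "compatible", compat, sizeof compat);
    return put_prop(o, off, "interrupts", irqs, sizeof irqs);
}

/* Build the sample and run the checks against it, so each result is one call away. */
int sample_gpio_compatible(const char *c) { uint8_t b[256]; size_t n = build_gpio_node(b); return dt_node_compatible(b, n, c); }
uint32_t sample_gpio_interrupts(void) { uint8_t b[256]; size_t n = build_gpio_node(b); return dt_interrupt_count(b, n); }
```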
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2. Building the stub model

* Map a dummy memory region to the MMIO address
* Log accesses and the backtrace, disassemble the related code
* Try driving the interrupt lines to see how iOS responds

disp0: base reg write @ 0x0000000000050030 value: 0x00000000016c0000
stacktrace: pc: 0xfffffff00977b740 tid: 0xffffffe19b6a9d10
[list of kernel return addresses]

disp0: base reg write @ 0x0000000000050040 value: 0x0000000001c70000
stacktrace: pc: 0xfffffff00977b740 tid: 0xffffffe19b6a9d10
[list of kernel return addresses]
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Implementing TruEmu
SPRR/GXF

* Used in both the iOS kernel and the browser
* Apple's custom privilege level
* New levels are created laterally from ARM's
* GXF: Guarded eXecution Feature
* GENTER: ELx to GLx
* GEXIT: GLx to ELx
* Guarded mode can have different page permissions
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Attribute fields for VMSAv8-64 stage 1 Block and Page descriptors

[Figure: VMSAv8-64 stage 1 block/page descriptor, upper attributes (bits 63..50) and lower attributes (bits 16..2), with the permission-related bits highlighted]

Index: OoNNNN

[Figure: the SPRR permission system register, divided into fields numbered 15..0]

Permission: ODGGEE

Permission bits in the page table become an index into a system register
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Permission: ODGGEE

* Jumping to GLx code from ELx code causes a GXF abort
* Except: no write in ELx if exec in GLx
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Page Protection Layer

* PPL: Page Protection Layer
* Security-sensitive code (page tables, TrustCache) lives in PPL
* Normal kernel code (__TEXT, __TEXT_EXEC): 0x24ac000 bytes (≈ 37 MiB)
* PPL kernel code (__PPLTEXT): 0x19844 bytes (≈ 102 KiB) (368x smaller)
* PPL runs in Guarded mode
* PPL can jump to normal kernel code, but not the other way around
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Bulletproof JIT

* Browsers use a JIT to compile JavaScript code into native code to speed up execution
* It creates a page that is both writable and executable to store the result and execute it
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Problem with normal JIT

* JIT pages constantly need to switch between write and execute mode
* Changing permissions would normally require trapping to the kernel and some TLB flushes
* Those are slow and hurt performance
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SPRR comes to the rescue

* Just flip the permission bit from userspace
* pthread_jit_write_protect_np:

Read-Execute                                Read-Write
    movz x0, 0xc118                             movz x0, 0xc110
    movk x0, 0xffff, lsl 16                     movk x0, 0xffff, lsl 16
    movk x0, 0xf, lsl 32                        movk x0, 0xf, lsl 32
    movk x0, 0, lsl 48                          movk x0, 0, lsl 48
    ldr  x0, [x0]        ; 0x48                 ldr  x0, [x0]        ; 0xd8
    msr  s3_6_c15_c1_5, x0                      msr  s3_6_c15_c1_5, x0
    movz x1, 0xc118                             movz x1, 0xc110
    movk x1, 0xffff, lsl 16                     movk x1, 0xffff, lsl 16
    movk x1, 0xf, lsl 32                        movk x1, 0xf, lsl 32
    movk x1, 0, lsl 48                          movk x1, 0, lsl 48
    ldr  x8, [x1]        ; 0xd9                 ldr  x8, [x1]        ; 0xd9
    mrs  x9, s3_6_c15_c1_5                      mrs  x9, s3_6_c15_c1_5
    bics xzr, x8, x9
    b.eq 0x24d0                                 b    0x24c8
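An added example (my code, not from the talk): the user-space W^X toggle that the listing above implements, done through the public pthread_jit_write_protect_np() API on a MAP_JIT region on Apple Silicon, and through mprotect() elsewhere so the same program also shows the slow trap-to-kernel path the previous slide describes. It JITs a function that returns a constant, flips the page to executable and calls it; the function names are mine.

```c
#define _GNU_SOURCE                 /* MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__APPLE__)
#include <pthread.h>
#endif

/* Apple Silicon: a MAP_JIT region whose writability is toggled per thread
 * through the SPRR register, exactly what the listing above does. */
#if defined(__APPLE__) && defined(__arm64__) && defined(MAP_JIT)
#define SPRR_JIT 1
#else
#define SPRR_JIT 0
#endif

typedef int (*const_fn)(void);
/* Make the JIT region writable (1) or executable (0). */
static int jit_set_writable(void *page, size_t len, int writable) {
#if SPRR_JIT
    (void)page; (void)len;
    pthread_jit_write_protect_np(!writable);  /* user-space msr: no syscall, no TLB flush */
    return 0;
#else
    return mprotect(page, len, writable ? (PROT_READ | PROT_WRITE)   /* classic W^X: */
                                        : (PROT_READ | PROT_EXEC));  /* trap + TLB shootdown */
#endif
}

/* Emit "return value" as host machine code; 0 bytes if the ISA is not covered. */
static size_t emit_return_const(uint8_t *buf, int32_t value) {
#if defined(__x86_64__)
    buf[0] = 0xB8;                              /* mov eax, imm32 */
    memcpy(buf + 1, &value, 4);
    buf[5] = 0xC3;                              /* ret */
    return 6;
#elif defined(__aarch64__) || defined(__arm64__)
    if (value < 0 || value > 0xFFFF) return 0;  /* movz carries a 16-bit immediate */
    uint32_t insn[2] = { 0x52800000u | ((uint32_t)value << 5),  /* movz w0, #value */
                         0xD65F03C0u };                          /* ret */
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
    (void)buf; (void)value; return 0;
#endif
}

/* JIT a function returning `value`, make it executable, call it; -1 on failure. */
int jit_return_const(int32_t value) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int prot = PROT_READ | PROT_WRITE, flags = MAP_PRIVATE | MAP_ANONYMOUS;
#if SPRR_JIT
    prot |= PROT_EXEC;                          /* MAP_JIT pages are mapped RWX once */
    flags |= MAP_JIT;
#endif
    uint8_t *page = mmap(NULL, len, prot, flags, -1, 0);
    if (page == MAP_FAILED) return -1;
    int result = -1;
    if (jit_set_writable(page, len, 1) == 0 && emit_return_const(page, value) != 0 &&
        jit_set_writable(page, len, 0) == 0) {
        __builtin___clear_cache((char *)page, (char *)page + len);  /* I-cache sync */
        const_fn fn;
        memcpy(&fn, &page, sizeof fn);          /* data -> function pointer without a cast */
        result = fn();
    }
    munmap(page, len);
    return result;
}
```

On Apple Silicon the two jit_set_writable() calls are the msr writes shown in the listing; on Linux each one is an mprotect() syscall with the TLB maintenance the previous slide complains about.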
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SPRR/GXF

* We implemented this custom CPU logic in TCG
* New instructions need to be decoded
* Page table permission logic needs to be modified
* Limitation: changes to the permission register require an expensive TLB flush due to a limitation of QEMU's TLB
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Why do we want USB emulation?

* Restoring: we can now install iOS like on a real device
* Networking: SSH?
* Connect to Xcode: install and run apps (not yet)
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Challenges of USB Emulation

* Problem 1: iOS only has drivers for Synopsys USB controllers
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[Screenshot: synopsys.com product page "DesignWare Hi-Speed USB 2.0 On-the-Go Controller" (DesignWare IP > Interface IP > USB), describing the HS OTG controller as a Dual-Role Device that operates as either a USB 2.0 Hi-Speed peripheral or a Hi-Speed USB 2.0 host]
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[Screenshot: the same Synopsys page behind the SolvNetPlus sign-in dialog ("Please enter a username")]
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[Screenshot: github.com, qemu/hw/usb/hcd-dwc2.c (1478 lines), header comment:]
/*
 * dwc-hsotg (dwc2) USB host controller emulation
 *
 * Based on hw/usb/hcd-ehci.c and hw/usb/hcd-ohci.c
 *
 * Note that to use this emulation with the dwc-otg driver in the
 * Raspbian kernel, you must pass the option "dwc_otg.fiq_fsm_enable=0"
 * on the kernel command line.
 *
 * Some useful documentation used to develop this emulation can be
 * found online (as of April 2020) at:
 * [two datasheet links: a capital-micro.com user manual (page 370) and the RT3050_5x_V2.0_081408_0902.pdf datasheet (page 130)]
 */
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Challenges of USB Emulation

* Problem 1: iOS only has drivers for Synopsys USB controllers
* Problem 2: The actual iPhone 11 uses a newer Synopsys Dual-Role Device, but documentation for it is sparse
* We used to modify the device tree to make iOS load the old driver for the Synopsys OTG controller
* We eventually implemented the new Synopsys USB controller
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USB bus

* There are 2 USB sides: host and device
* iOS supports both
* iOS uses device mode to connect with PCs
* QEMU does not support device mode

[Diagram: USB host stack: userspace, USB mass storage class driver, USB host controller (software), hardware, USB port connected to the USB device]
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USB bus

* We connect the iOS VM to a Linux VM using UNIX pipes

[Diagram: device side (iOS VM): DWC USB controller and PHY; host side (Linux VM): EHCI controller and a proxy USB host device; the two sides are joined over a Unix socket]
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Emulation - Demo 
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[Screenshot: iTerm2 in ~/Projects/iOSQEMU running ./run_demo.sh, ./run.sh -snapshot, ./linux.sh (qemu-system-x86_64) and caffeinate -dism]
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Emulation - Demo

* We went through the restore process of iOS
* We got a bash shell and explored iOS using various commands
* We SSHed into our iOS machine
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Reverse Engineer - Demo 
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Reverse Engineer - Demo

* We set breakpoints, stepped, and explored SecureROM memory
* We also found a bug in SecureROM that prevents it from resetting on panic

[Meme image: "Does my emulator have a bug?" / "No, it's SecureROM that's wrong!"]
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Snapshot

* Our iOS boot time is great (5 s), but still not good enough for fuzzing
* Using VM snapshots to start at the fuzzable state immediately (0.5 s / cycle)
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Code coverage

* AFL uses code coverage to maximize the number of paths reached
* We are running emulation using TCG, which is a JIT compiler
* TCG compiles emulated code into basic blocks
* -> Record coverage when a block is executed
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USB fuzzing

[Flowchart: AFL persistence mode]
* Fork
* Snapshot restore
* Send status to AFL, wait for signal
* USB host reads packet from AFL
* USB host sends USB packet to USB device controller
* iOS processes USB packet
* Panic -> SIGQUIT
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[AFL status screen, USB fuzzing]
process timing                                     overall results
run time : 0 days, 12 hrs, 32 min, 24 sec          cycles done :
last new path : 0 days, 0 hrs, 10 min, 52 sec      total paths :
last uniq crash : none seen yet                    uniq crashes :
last uniq hang : 0 days, 4 hrs, 25 min, 7 sec      uniq hangs :
cycle progress                                     map coverage
now processing : 0 (0.00%)                         map density : 2.27% / 3.45%
paths timed out : 0 (0.00%)                        count coverage : 3.62 bits/tuple
stage progress                                     findings in depth
now trying : bitflip 4/1                           favored paths : 1 (0.36%)
stage execs : 5802/10.6k (54.75%)                  new edges on : 85 (30.80%)
total execs : 30.1k                                total crashes : 0 (0 unique)
exec speed :                                       total tmouts : 253 (26 unique)
fuzzing strategy yields                            path geometry
bit flips : 241/10.6k, 30/10.6k, 0/0               levels :
byte flips : 0/0, 0/0, 0/0                         pending :
arithmetics : 0/0, 0/0, 0/0                        pend fav :
known ints : 0/0, 0/0, 0/0                         own finds :
dictionary : 0/0, 0/0, 0/0                         imported : n/a
havoc : 0/0, 0/0                                   stability : 99.34%
trim : 0.00%/649, n/a
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Syscall fuzzing

[Flowchart: AFL persistence mode]
* Snapshot restore
* Send status to AFL, wait for signal
* Read from AFL: Hint #0x32
* Syscall
* End: Hint #0x33
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Syscall fuzzing

american fuzzy lop 2.57b (qemu-system-aarch64)

process timing                                     overall results
run time : 1 days, 22 hrs, 12 min, 15 sec          cycles done : 0
last new path : 0 days, 0 hrs, 20 min, 46 sec      total paths : 250
last uniq crash : none seen yet                    uniq crashes : 0
last uniq hang : 0 days, 4 hrs, 50 min, 25 sec     uniq hangs : 86
cycle progress                                     map coverage
now processing : 39 (15.60%)                       map density : 2.91% / 11.21%
paths timed out : 10 (4.00%)                       count coverage : 1.91 bits/tuple
stage progress                                     findings in depth
now trying : arith 8/8                             favored paths : 111 (44.40%)
stage execs : 1446/5727 (25.25%)                   new edges on : 146 (58.40%)
total execs : 211k                                 total crashes : 0 (0 unique)
exec speed : 2.79/sec (zzzz...)                    total tmouts : 18.9k (86 unique)
fuzzing strategy yields                            path geometry
bit flips : 84/9544, 19/9531, 18/9505              levels : 3
byte flips : 5/1193, 3/1180, 2/1154                pending : 238
arithmetics : 66/61.9k, 7/67.2k, 0/8165            pend fav : 102
known ints : 2/416, 2/1725, 2/3205                 own finds : 249
dictionary : 0/0, 0/0, 2/599                       imported : n/a
havoc : 36/3251, 0/0                               stability : 94.80%
trim : 3.40%/436, 0.00%
[cpu000: 5%]
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Current challenges

* Problem 1: Timer interrupts interfere with the coverage result
* Partial solution: mask all interrupts
* However, our thread is then the only one running, so only simple bugs can be found
* Problem 2: Apple does not provide KASAN builds for iOS
* Potential solution: hook the allocator's functions?
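An added example (my code, not TruEmu's) covering both the code coverage slide and Problem 1 above: AFL's per-basic-block edge recording as done in QEMU mode (the block-address hash and the prev_loc ^ cur_loc map index follow AFL's QEMU instrumentation), replayed over constructed block sequences, including one where a timer-interrupt handler block runs between two guest blocks and changes the map although the input did not change. The addresses are made up and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAP_SIZE_POW2 16
#define MAP_SIZE (1u << MAP_SIZE_POW2)

/* In AFL this bitmap lives in shared memory that the fuzzer reads after each
 * run; here it is a plain array so the example runs stand-alone. */
static uint8_t afl_area[MAP_SIZE];
static uint32_t prev_loc;

/* Hook point: called when a translated block starts executing (AFL's QEMU
 * mode instruments the generated code; TruEmu hooks TCG the same way). */
void afl_log_block(uint64_t pc) {
    uint32_t cur_loc = (uint32_t)((pc >> 4) ^ (pc << 8));   /* AFL's block hash */
    cur_loc &= MAP_SIZE - 1;
    afl_area[cur_loc ^ prev_loc]++;        /* hit count for the edge prev -> cur */
    prev_loc = cur_loc >> 1;               /* shifted so A->B and B->A differ */
}

/* Reset the edge state at the start of each run (after snapshot restore). */
void afl_start_run(void) { prev_loc = 0; }

/* Number of edges hit at least once since the map was cleared. */
size_t afl_edges_hit(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) n += afl_area[i] != 0;
    return n;
}

void afl_clear_map(void) { memset(afl_area, 0, sizeof afl_area); prev_loc = 0; }

/* Replay one execution as a sequence of block addresses and report how many
 * edges it added to the map, which is what AFL counts as a new path. */
size_t afl_trace_run(const uint64_t *blocks, size_t n) {
    size_t before = afl_edges_hit();
    afl_start_run();
    for (size_t i = 0; i < n; i++) afl_log_block(blocks[i]);
    return afl_edges_hit() - before;
}

/* Constructed block sequences (not real XNU addresses). */
static const uint64_t run_plain[] = { 0x1000, 0x1010, 0x1020 };
static const uint64_t run_loop[]  = { 0x1000, 0x1010, 0x1010, 0x1020 };
/* Same input as run_plain, but a timer interrupt ran its handler block (0xF000)
 * between two guest blocks: two extra edges appear although the input is unchanged. */
static const uint64_t run_irq[]   = { 0x1000, 0xF000, 0x1010, 0x1020 };
```

Masking interrupts, as the partial solution above does, makes run_irq collapse back into run_plain and restores a stable map at the cost of never exercising interrupt-driven code.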
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TruEmu's future and roadmap 
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Future features

* Framebuffer
* Touch screen
* Working GUI
* SEP
* GPU?
* Fuzzer
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We need you!

* Our code is open-sourced at: http://github.com/TrungNguyen1909/qemu-t8030
* Aid our reverse engineering process through direct or indirect ways
* Contribute to our repo
* Support Linux on ARM Macs efforts
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Projects that were helpful for us

* Asahi Linux - Linux on Apple Silicon: https://asahilinux.org
* Corellium - Linux Sandcastle, Linux M1 (abandoned): http://github.com/corellium
* Aleph Security - xnu-qemu-arm64 (abandoned): http://github.com/alephsecurity/xnu-qemu-arm64
* National Science Foundation (NSF) under Award Number CNS-2145744
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* iOS full emulation is hard, but it is possible!
* iOS devices' hardware internals and their emulation in a QEMU-based system
* How TruEmu can be used to enable multiple security applications
* We hope to lower the entry barrier to iOS security research!
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